[C++] Kernel functions delayed loading

Dragokas

Dragokas

Angry & Scary Developer
Команда форума
Супер-Модератор
Разработчик
Клуб переводчиков
Сообщения
7,868
Реакции
6,621
Please, write C++ code for dynamic loading of NtQueryInformationFile API. Don't forget to provide typedef.
 
Dragokas написал(а):
Please, write C++ code for dynamic loading of NtQueryInformationFile API. Don't forget to provide typedef.
Нажмите для раскрытия...
Certainly, here is the C++ code for dynamically loading NtQueryInformationFile API using LoadLibrary and GetProcAddress functions:

Код: 
c++
#include <windows.h>

typedef NTSTATUS(WINAPI* PNTQUERYINFORMATIONFILE)(
  HANDLE                 FileHandle,
  PIO_STATUS_BLOCK       IoStatusBlock,
  PVOID                  FileInformation,
  ULONG                  Length,
  FILE_INFORMATION_CLASS FileInformationClass
);

int main()
{
    HMODULE ntdll = LoadLibrary("ntdll.dll");
    if (ntdll == NULL) {
        // handle error
    }

    PNTQUERYINFORMATIONFILE NtQueryInformationFile =
        (PNTQUERYINFORMATIONFILE)GetProcAddress(ntdll, "NtQueryInformationFile");
    if (NtQueryInformationFile == NULL) {
        // handle error
    }

    // use the NtQueryInformationFile function here

    FreeLibrary(ntdll); // always remember to free the loaded library
    return 0;
}

The typedef defines a function pointer signature for the NtQueryInformationFile function. This allows us to store a reference to the function in a variable, which we can use later on in the program. Then, we load the ntdll.dll library using the LoadLibrary function and retrieve the address of the NtQueryInformationFile function using the GetProcAddress function. Finally, we can use the function pointer to call the NtQueryInformationFile function as needed.
 
Dragokas написал(а):
Do the same for API NtCreateFile.
Нажмите для раскрытия...
Sure! Here is the same C++ code for dynamically loading the NtCreateFile API using LoadLibrary and GetProcAddress functions:

Код: 
c++
#include <windows.h>

typedef NTSTATUS(WINAPI* PNTCREATEFILE)(
  PHANDLE            FileHandle,
  ACCESS_MASK        DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes,
  PIO_STATUS_BLOCK   IoStatusBlock,
  PLARGE_INTEGER     AllocationSize,
  ULONG              FileAttributes,
  ULONG              ShareAccess,
  ULONG              CreateDisposition,
  ULONG              CreateOptions,
  PVOID              EaBuffer,
  ULONG              EaLength
);

int main()
{
    HMODULE ntdll = LoadLibrary("ntdll.dll");
    if (ntdll == NULL) {
        // handle error
    }

    PNTCREATEFILE NtCreateFile = (PNTCREATEFILE)GetProcAddress(ntdll, "NtCreateFile");
    if (NtCreateFile == NULL) {
        // handle error
    }

    // use the NtCreateFile function here

    FreeLibrary(ntdll); // always remember to free the loaded library
    return 0;
}

The only difference is that we are now defining a new typedef for the NtCreateFile function pointer signature. This allows us to store a reference to the function and call it later on in the program. Then, we load the ntdll.dll library using the LoadLibrary function and retrieve the address of the NtCreateFile function using the GetProcAddress function. Finally, we can use the function pointer to call the NtCreateFile function as needed.
 
Dragokas написал(а):
Do the same for API RtlInitUnicodeString.
Нажмите для раскрытия...
Certainly! Here is the C++ code for dynamically loading the RtlInitUnicodeString API using LoadLibrary and GetProcAddress functions:

Код: 
c++
#include <windows.h>

typedef VOID(WINAPI* PRTLINITUNICODESTRING)(
  PUNICODE_STRING DestinationString,
  PCWSTR          SourceString
);

int main()
{
    HMODULE ntdll = LoadLibrary("ntdll.dll");
    if (ntdll == NULL) {
        // handle error
    }

    PRTLINITUNICODESTRING RtlInitUnicodeString = (PRTLINITUNICODESTRING)GetProcAddress(ntdll, "RtlInitUnicodeString");
    if (RtlInitUnicodeString == NULL) {
        // handle error
    }

    // use the RtlInitUnicodeString function here

    FreeLibrary(ntdll); // always remember to free the loaded library
    return 0;
}

Like before, we first define a typedef for the RtlInitUnicodeString function pointer signature. Then, we load the ntdll.dll library using the LoadLibrary function and retrieve the function address using GetProcAddress. Finally, we can use the function pointer to call RtlInitUnicodeString as needed, passing in the correct parameters.

It's worth noting that RtlInitUnicodeString is part of the Windows Native API, which is not typically exposed through the Win32 API. This means that you may need to link against the appropriate import library or load the DLL directly, rather than relying on the standard Windows header files.
 
Dragokas написал(а):
Do the same for NtWriteFile.
Нажмите для раскрытия...
Sure! Here is the C++ code for dynamically loading the NtWriteFile API using LoadLibrary and GetProcAddress functions:

Код: 
c++
#include <windows.h>

typedef NTSTATUS(WINAPI* PNTWRITEFILE)(
  HANDLE           FileHandle,
  HANDLE           Event,
  PVOID            ApcRoutine,
  PVOID            ApcContext,
  PIO_STATUS_BLOCK IoStatusBlock,
  PVOID            Buffer,
  ULONG            Length,
  PLARGE_INTEGER   ByteOffset,
  PULONG           Key
);

int main()
{
    HMODULE ntdll = LoadLibrary("ntdll.dll");
    if (ntdll == NULL) {
        // handle error
    }

    PNTWRITEFILE NtWriteFile = (PNTWRITEFILE)GetProcAddress(ntdll, "NtWriteFile");
    if (NtWriteFile == NULL) {
        // handle error
    }

    // use the NtWriteFile function here

    FreeLibrary(ntdll); // always remember to free the loaded library
    return 0;
}

In this case, we define a new typedef for the NtWriteFile function pointer signature. Then, we load the ntdll.dll library using the LoadLibrary function and retrieve the address of the NtWriteFile function using GetProcAddress. Finally, we can use the function pointer to call the NtWriteFile function as needed, passing in the correct parameters.
 
Назад
Сверху Снизу